Don't know about you, but I've always wanted to know the things they don't want me to know. Not for political or monetary gain, but just because I'm not supposed to. For instance, wouldn't you just love to know how fine a detail U.S. spy satellites can resolve on the ground? (Cold War joke: a sign on the roof of the Pentagon says, in 6-inch-high letters: "If you can read this / you're where we were / 8 years ago.") Wouldn't you love to know if the NSA and/or the CIA is really listening in on U.S. citizens' phone and Internet traffic? (One of my favorite .sig's, originator unknown, reads: "The NSA is now funding research not only in cryptography, but in all areas of advanced mathematics. If you'd like a circular describing these new research opportunities, just pick up your phone, call your mother, and ask for one.") Wouldn't you love to know whether the NSA can break messages encrypted with a 512-bit PGP key?
On 1996-01-28 Harvard Law School hosted a symposium titled "Information, National Policies, and International Infrastructure." Paul Strassmann

The note makes some alarming claims about what the presenters said in answer to questions at this symposium. I wrote to Strassmann and Marlow about the accuracy of these observations. Strassmann replied today that what the attendee reported was a personal interpretation of what had been said and was out of context. They plan to issue a statement correcting what was reported. I'll post a pointer to it here, assuming the authors grant permission.
Note: URLs [2] and [3] below were obtained from an Alta Vista search [4]. You may have trouble following these links. In particular [2] resides on Alta Vista's Usenet spool and its lifetime there will be at most two weeks. [3] will work only from a Netscape browser; and at the moment the Domain Name Service is disclaiming knowledge of anon.penet.fi. Reissuing the Alta Vista search [4] might turn up more hits later as other Usenet newsgroups' traffic is indexed by the superspider.
[1] http://www.strassmann.com/pubs/anon-remail.html
[2] http://ww2.altavista.digital.com/cgi-bin/news?msg@1142@alt%2eprivacy%2eanon%2dserver
[3] news:132317Z03031996@anon.penet.fi
[4] http://altavista.digital.com/cgi-bin/query?pg=aq&what=news&fmt=d&q=Strassman+and+Marlow+and+Chaarles&r=&d0=&d1=&text=yes
[4a] http://metacrawler.cs.washington.edu:8080/
[4b] http://www.metatrout.com/~jwehling/NSARemailer.html
[4c] http://www.consilpdx.com/~jwehling/NSARemailer.html
[4d] 'The intelligence coup of the century'
[4e] https://is.gd/gZEWiV
Cryptography export policy
See also TBTF for 2000-02-06, 1999-10-05, 08-30, 08-23, 08-16, 07-26, 05-22, 05-08, 04-21, 03-01, 01-26.
On 1996-03-05 Senator Patrick Leahy (D-VT) introduced the Encrypted Communications Privacy Act of 1996 in the Senate and held a press conference with Senate and House cosponsors. The Senate [5] and House [6] versions differ somewhat; only the Senate version makes any reference to the key-escrow schemes that the administration has been pushing, and consumers and corporations rejecting, for several years. The bills would waive export restrictions on such "generally available" software as PGP and popular Web browsers. They would impose criminal penalties for the use of encryption in the commission of a crime. While most civil liberties and privacy organizations applaud the bills as a good start, all have some issues with them. See the analyses of EPIC [7], CDT [8], and VTW [9]. EPIC [7] in particular catches subtle implications in the Senate bill that would prolong the NSA's unwelcome involvement in commercial encryption. Two noted cryptographers, Matt Blaze [10] and Bruce Schneier [11], have written open letters to Sen. Leahy that generally praise the bill but express reservations about the provisions criminalizing some uses of encryption.
[5] http://www.epic.org/crypto/legislation/s1587.html
[6] http://www.vtw.org/archive/960305_235808
[7] http://www.epic.org/crypto/legislation/s1587_analysis.html
[8] http://www.cdt.org/publications/pp_2.9.html
[9] http://www.vtw.org/archive/960305_120857
[10] http://www.vtw.org/archive/960305_124928
[11] http://www.vtw.org/archive/960306_000807
Net telephony
See also TBTF for 1996-04-21, 03-24, 03-10.
On 1996-03-04 a group of long-distance carriers petitioned the Federal Communications Commission to stop companies from selling software and hardware products that enable use of the Internet for long-distance voice calls. A handful of companies sell software, mostly in the $50 range, for this purpose; free software is even more plentiful [12], [13]. At first glance these tools don't look like much of a threat to established long-distance carriers. The quality of Internet phone connections is generally poor, and they are subject to the unreliability that characterizes the overloaded Net today. Also, the various software packages aren't compatible; you can only talk to someone who has the same software you do. A story in today's _Boston Globe_ cites one estimate putting the current number of users at 20,000. The FCC has moved with uncharacteristic speed in scheduling public comment on the question; petitions for rule-making commonly sit for weeks or months without action, but within two days the agency had set an April 8 date for comments.
[12] http://rpcp.mit.edu/~asears/main.html
[13] http://www.northcoast.com/savetz/voice-faq.html
Dan Bricklin
Here is a description of Bricklin's star turn from Nando, the official newspaper of Demo 96:
> The most entertaining event of the day was Dan Bricklin's demo of ChiaPaint. At first it appeared to be a Java-based variation on Kid Pix, where you could mark up clip art with goofy tools like "fur" or "lots 'o hair," but as Bricklin encountered a series of ever more ridiculous error messages, most of which demanded that he enter his credit card number to extend his license for various Java objects, it became clear that it was a satire of the Sun-Oracle vision of network-centric computing -- a vision that, judging from the audience's howls of laughter, most of them don't share. The final punchline was that the joke was also a real demo -- of Bricklin's demo-it utility.
[14] http://www.pcletter.com/PC%20Letter%20Online/bricklin.html
[15] http://www.pcletter.com/dbreadme.html
Kevin McCurley
[16] http://www.tbtf.com/archive/1995-12-31.html
[17] http://www.swcp.com/~mccurley/cryptographers/cryptographers.html
First there was Four11 [18]; then there was WhoWhere [19]; then a half-dozen others. In the same way that Alta Vista [20] trumped the full-text, full-Web search engines, SwitchBoard [21] has trumped the people-finding Web pages.

This site gives you free access to the 100 million personal and business listings in the Database America CD-ROM; and you can write to it too. The site certainly raises disturbing questions of privacy. My phone number and address are visible to the greater Internet, until and unless I visit
From Ryan Conley <nfn00634 at naples dot net>, 1996-03-26: "Switchboard at first seems first-rate, but there is one staggering shortcoming. It has a limit (about 10 letters) to how long a name can be to be included in the database. For instance, the computer believes that there is no one in the whole country with the first name of 'Christopher.' It's too long. Try it and see. I have sent them mail about this."
[18] http://www.four11.com/
[19] http://www.whowhere.com/
[20] http://www.altavista.digital.com/
[21] http://www.switchboard.com/
From 1995-10-15 to 1995-11-31, six Macintosh Internet companies offered a $10,000 prize to anyone who could read one protected line from a particular public Web page; the target was secured only by off-the-shelf Macintosh software (StarNine's WebSTAR server and NetCloak, a CGI application from Maxum Development). The goal was to raise awareness of the Macintosh server as a highly secure Web platform. The results [22] of the challenge were published in TidBITS. Bottom line: no one collected. Bear in mind what an uncollected bounty does and does not show: nobody who tried got in during the contest window, which is evidence of resistance to the attackers who showed up, not proof that the platform is secure.
[22] http://www.dartmouth.edu/pages/TidBITS/issues/TidBITS-317.html#s5
Java and JavaScript security
See also TBTF for 1997-09-15, 08-11, 07-21, 07-14, 1996-03-17, 03-10, 02-27, 02-19.
Responding to the publicity about security holes in Navigator 2.0 resulting from the JavaScript language implementation, Netscape has promised to fix at least two of the three outstanding problems in a release 2.01 due out this week. On 1996-02-29 Brendan Eich
[23] http://www.tbtf.com/archive/1996-02-27.html
[24] snews://secnews.netscape.com/31367495.7AAE@atm.mcom.com
Security (3): Another hole in Java, fixed
On 1996-02-18, Drew Dean
[25] http://www.cs.princeton.edu/~ddean/java
[26] http://www.netscape.com/comprod/mirror/java-patch-download.html
[27] http://www.netscape.com/newsref/std/java_security.html
I found the pointer to this engrossing account [28] (OK, it's engrossing if you are now or have ever been a programmer) on Rich Graves's
[28] ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html
[29] http://www.c2.org/hackmsoft/
[30] http://www.tbtf.com/archive/1995-05-23.html
>>From Edupage (1996-03-03):
> FLAW FOUND IN KERBEROS SECURITY SYSTEM
> Researchers at Purdue University have discovered a flaw in the popular
> Kerberos computer-security system that affects the way Version 4 of the
> software creates the secret keys for encryption. The problem does not
> affect Version 5, unless it is run in a way that emulates Version 4. The
> software is supposed to select its keys randomly from among billions of
> numbers, but the problem occurs in the random-number generator, which is
> selecting from a much smaller pool of perhaps a million or so, making it
> much easier for an intruder to crack the key. "Basically, we can forge
> any key in a matter of seconds," says Purdue professor Eugene Spafford.
> The CERT Coordination Center at Carnegie Mellon University has issued an
> advisory on the problem -- CA-96.03 -- and recommends using "patches" to
> fix the flaw. < http://www.sei.cmu.edu/technology/cert.cc.html >
> (Chronicle of Higher Education 1 Mar 96 A29)
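The Edupage item above names the failure mode (a key generator that draws from a pool of about a million values instead of the billions it should) but not what that costs an attacker. The Python below is an added example, not Kerberos code and not taken from the CERT advisory: it models a generator whose every output is a function of a seed with about 2^20 possible values, and shows that an eavesdropper holding one captured authenticator recovers the session key by exhausting the seed pool rather than the 2^56-entry DES key space. The function names, the seeding formula, the keyed-hash stand-in for DES encryption and the sample timestamp plaintext are all constructed for the illustration. The hardened generator alongside it draws the key from the operating system's entropy source instead.

```python
import hashlib
import os
from typing import Optional, Tuple

# Constructed model of a key generator whose randomness collapses to a small
# seed pool. This is NOT the Kerberos v4 code; it only reproduces the failure
# mode the advisory describes: the key depends on ~20 bits of seed material.
DEFAULT_SEED_BITS = 20  # "perhaps a million or so" candidate keys
KEY_LEN = 8             # DES-sized key, as Kerberos v4 used


def weak_session_key(seed: int, seed_bits: int = DEFAULT_SEED_BITS) -> bytes:
    """Expand a small seed into a KEY_LEN-byte key deterministically.
    Because the mapping is a function of the seed alone, there are only
    2**seed_bits possible keys no matter how long the key looks."""
    seed &= (1 << seed_bits) - 1
    return hashlib.sha256(b"weak-kdf|" + seed.to_bytes(4, "big")).digest()[:KEY_LEN]


def weak_seed_from_environment(clock: int, pid: int,
                               seed_bits: int = DEFAULT_SEED_BITS) -> int:
    """Hypothetical seeding from predictable process state (clock and pid)."""
    return (clock ^ (pid << 4)) & ((1 << seed_bits) - 1)


def authenticator(key: bytes, known_plaintext: bytes) -> bytes:
    """Stand-in for 'encrypt a known value under the session key'.
    A keyed hash replaces DES so the example needs no crypto library; any
    construction the attacker can recompute from a candidate key works."""
    return hashlib.sha256(key + known_plaintext).digest()


def recover_key(captured_tag: bytes, known_plaintext: bytes,
                seed_bits: int = DEFAULT_SEED_BITS) -> Optional[Tuple[int, bytes]]:
    """Attacker side: try every seed, re-derive the key, recompute the tag."""
    for seed in range(1 << seed_bits):
        key = weak_session_key(seed, seed_bits)
        if authenticator(key, known_plaintext) == captured_tag:
            return seed, key
    return None


def strong_session_key() -> bytes:
    """Fixed generator: the key comes from the OS entropy source, so there is
    no seed to enumerate and the search space is the full 2**(8*KEY_LEN)."""
    return os.urandom(KEY_LEN)


def work_factor_ratio(seed_bits: int = DEFAULT_SEED_BITS) -> int:
    """How many times smaller the seed search is than a 56-bit DES key search."""
    return 2 ** 56 // 2 ** seed_bits


if __name__ == "__main__":
    # Victim: a KDC issues a session key from predictable state and then
    # uses it on a value the attacker can guess (constructed sample).
    victim_seed = weak_session_key_seed = weak_seed_from_environment(clock=826_000_000, pid=4211)
    victim_key = weak_session_key(victim_seed)
    known = b"KRB_AUTHENTICATOR:timestamp"   # constructed known plaintext
    tag = authenticator(victim_key, known)    # what an eavesdropper captures

    # Attacker: recovers the key by exhausting the seed pool.
    found = recover_key(tag, known)
    print("recovered:", found == (victim_seed, victim_key))
    print("search is %d times smaller than a 56-bit key search" % work_factor_ratio())
```

Run it directly and the full 2^20 search finishes in seconds on commodity hardware, which is the "matter of seconds" in Spafford's quote; the seed_bits parameter is there so the same search can be demonstrated at smaller sizes. The lesson is the one the advisory implies: a key is only as strong as the entropy that went into it, and a generator seeded from clock and process identifiers hands the attacker a search the size of the seed pool, whatever the nominal key length.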
Thanks to those of you who wrote with suggestions and comments about the
style of URL references in TBTF. A good number took the time to say com-
plimentary things about the newsletter -- thanks for those too. There was
a wide wingspan of opinion and in the end I agreed with those of you who
expressed a view that can be characterized as "It's your newsletter, do
whatever you ruddy well want. Just keep on doing it." So be it.
>>TidBITS -- mail listserv@ricevm1.rice.edu without subject and with
> message: subscribe TidBITS Your Name .
>>Edupage -- mail listproc@educom.edu without subject and with
> message: subscribe edupage <your name> .